integrigy oracle database security vulnerabilities explained

Security Boot Camp Oracle Database Security Vulnerabilities Explained

May 22, 2012

Stephen Kost

Chief Technology Officer

Integrigy Corporation

Phil Reimann

Director of Business Development


Vulnerabilities

Security Bugs

Critical Patch Update

Background

1 2 3 4

Q & A

Agenda

About Integrigy

Products Services

You

AppSentry ERP Application and Database

Security Auditing Tool

AppDefend Enterprise Application Firewall for the Oracle E-Business Suite

Protects Oracle EBS

Validates Security

ERP Applications Oracle E-Business Suite

Databases Oracle, Microsoft SQL Server

Security Assessments ERP, Database, Sensitive Data, Penetration Testing

Compliance Assistance SOX, PCI, HIPAA

Security Design Services Auditing, Encryption, DMZ

Verify Security

Build Security

Ensure Compliance

Integrigy Published Security Alerts Security Alert Versions Security Vulnerabilities

Critical Patch Update April 2012 11.5.10 – 12.1.x Oracle E-Business Suite security architecture issue

Critical Patch Update July 2011 11.5.10 – 12.1.x Oracle E-Business Suite security configuration issue

Critical Patch Update October 2010 11.5.10 – 12.1.x 2 Oracle E-Business Suite security weaknesses

Critical Patch Update July 2008 Oracle 11g

11.5.8 – 12.0.x 2 Issues in Oracle RDBMS Authentication 2 Oracle E-Business Suite vulnerabilities

Critical Patch Update April 2008 12.0.x

11.5.7 – 11.5.10 8 vulnerabilities, SQL injection, XSS, information disclosure, etc.

Critical Patch Update July 2007 12.0.x

11.5.1 – 11.5.10 11 vulnerabilities, SQL injection, XSS, information disclosure, etc.

Critical Patch Update October 2005 11.0.x, 11.5.1 – 11.5.10 Default configuration issues

Critical Patch Update July 2005 11.0.x, 11.5.1 – 11.5.10 SQL injection vulnerabilities and Information disclosure

Critical Patch Update April 2005 11.0.x, 11.5.1 – 11.5.10 SQL injection vulnerabilities and Information disclosure

Critical Patch Update Jan 2005 11.0.x, 11.5.1 – 11.5.10 SQL injection vulnerabilities

Oracle Security Alert #68 Oracle 8i, 9i, 10g Buffer overflows Listener information leakage

Oracle Security Alert #67 11.0.x, 11.5.1 – 11.5.8 10 SQL injection vulnerabilities

Oracle Security Alert #56 11.0.x, 11.5.1 – 11.5.8 Buffer overflow in FNDWRR.exe

Oracle Security Alert #55 11.5.1 – 11.5.8 Multiple vulnerabilities in AOL/J Setup Test Obtain sensitive information (valid session)

Oracle Security Alert #53 10.7, 11.0.x

11.5.1 – 11.5.8 No authentication in FNDFS program Retrieve any file from O/S

Q & A Vulnerabilities

Security Bugs

Agenda

2 3 4


Background

1

Oracle Critical Patch Updates

Fixes for security bugs in all Oracle products - Released quarterly on a fixed schedule - Tuesday closest to the 17th day of January, April, July and

October - Next CPUs = July 17, 2012 and October 16, 2012

Thirty CPUs released to date starting with January 2005 - 1,379 security bugs fixed (average is 47 bugs per CPU) - 433 bugs in the Oracle Database - 236 bugs in the Oracle E-Business Suite

Oracle Security Bugs per Quarter

0

1

2

3

4

5

6

7

8

9

10

0

25

50

75

Jan

-05

Ap

r-0

5

Jul-

05

Oct

-05

Jan

-06

Ap

r-0

6

Jul-

06

Oct

-06

Jan

-07

Ap

r-0

7

Jul-

07

Oct

-07

Jan

-08

Ap

r-0

8

Jul-

08

Oct

-08

Jan

-09

Ap

r-0

9

Jul-

09

Oct

-09

Jan

-10

Ap

r-1

0

Jul-

10

Oct

-10

Jan

-11

Ap

r-1

1

Jul-

11

Oct

-11

Jan

-12

Ap

r-1

2

Ma

xim

um

CV

SS

2.0

Sco

re

Se

cu

rity

Bu

g C

ou

nt


Database Bugs E-Business Suite Bugs Database CVSS 2.0 E-Business Suite CVSS 2.0

Oracle Security Bug Process

1. Customer or security researcher reports

security bug to Oracle

2. Oracle researches bug and develops bug fix - Finder not allowed to test fix or even notified about fix

3. Oracle may first include fix in new releases - No notification of security fixes to customers

4. Oracle includes fix in quarterly CPU

- From initial report to security patch

release is 3 months to 3 years

Bug reported

Bug fixed

Elapsed time on

average is 18 months

Vulnerability may be fixed first in a new version (e.g., 11.2.0.2)

before through a Critical Patch Update with no notification

Duration = 3 months to 3 years

Duration = 3 months to 3 years

Oracle Notified

Oracle Notified

Fixed in Main Code Line

CPU Patch Created & Released

New Version Released

Fixed in Main Code Line

CPU Patch Created & Released

New Version Released

Sce

na

rio

B

Sce

na

rio

A

Oracle Security Bug Process

Critical Patch Updates Baselines

Database Version

Upgrade Patch Included CPU

10.2.0.4 April 2008

10.2.0.5 October 2010

11.1.0.6 October 2007

11.1.0.7 January 2009

11.2.0.1 January 2010

11.2.0.2 January 2011

11.2.0.3 July 2011

At time of release, usually the latest available CPU is included

Database CPU Support

Database Version Terminal CPU

10.1.0.5 January 2012 (b)

10.2.0.4 July 2011 (a)(c)

10.2.0.5 July 2013 (b)

11.1.0.7 July 2015 (b)

11.2.0.1 July 2011 (a)

11.2.0.2 January 2013 (a)

11.2.0.3 July 2014 (d)

(a) Oracle CPU Support Date (b) Oracle Lifetime Support Date (c) Supported only on limited platforms (d) Estimated by Integrigy

Security Bugs


Background

1 3 4

Q & A

Agenda

Vulnerabilities

2

Oracle Database Vulnerability Breakdown

~40% SQL Injection ~20% Buffer Overflow ~10% Privilege or Permission Issue ~30% Other

Total Vulnerabilities = 433

% of Bugs Exploitable with No Auth

For the CPUs January 2007 through January 2012 (47 of 253 database bugs)

19%

% of Bugs PUBLIC Exploitable


53%

% of Published Exploits PUBLIC Exploitable


44%

Who can exploit a PUBLIC bug?

Anyone with a database account

Remember those application accounts with generic passwords such as APPLSYSPUB/PUB in Oracle E-Business Suite

Vulnerabilities


Background

1 2 4

Q & A

Agenda

Security Bugs

3

Oracle Security Bug Walkthrough

SQL Injection January 2009 – MDSYS.SDO_TOPO_DROP_FTBL Trigger (CVE-2008-3979)

Privilege Issue April 2010 – Java Public Privilege on DBMS_JVM_EXP_PERMS (CVE-2010-0867)

Design Flaw January 2012 – Oracle SCN Escalation (CVE-2012-0082)

SQL Injection – SDO_TOPO_DROP_FTBL

Vuln # Component Protocol Package and/or

Privilege Required Remote Exploit without Auth.?

CVE-2008-3979 Oracle Spatial Oracle Net Drop Table,

Create Procedure

No

CVSS VERSION 2.0 RISK Last Affected Patch set

(per Supported Release)

Base Score Access Vector Access

Complexity Authentication Confidentiality Integrity Availability

5.5 Network Low Single Partial+ Partial+ None 10.1.0.5, 10.2.0.2

Privilege Issue – DBMS_JVM_EXP_PERMS



CVE-2010-0867 Java VM Oracle Net Create Session No





4.0 Network Low Single None Partial+ None 10.2.0.4, 11.1.0.7,

11.2.0.1.0

Design Flaw – Oracle SCN



CVE-2012-0082 Core RDBMS Oracle Net Create Session No





5.5 Network Low Single None Partial Partial+

10.1.0.5, 10.2.0.5, 11.1.0.7, 11.2.0.3

Oracle Database SCN

System Change Number (SCN)

A database ordering primitive. The value of an SCN is the logical point in

time at which changes are made to a database.

Internal Timestamp SCNs order events within the database,

which is necessary for redo and read

consistency

281 Trillion Limit 48-bit number – 500 year limit –

immaterial for this discussion

Current Maximum SCN Database cannot exceed “time-based

rationing system” for SCNs which is

recalculated every second = seconds

since 1988 * 16384

ORA-600 errors occur if the Current

Maximum SCN is exceeded

SCN Illustrated

281 trillion

Current Maximum

SCN seconds since

1/1/1988 * 16,384

Current SCN

increases +16,384 every second

increases +1 every change

281 trillion upper limit will not

be reached for 500 years –

this limit really doesn’t matter

Current Maximum SCN

increases +16,384 every

second

Current SCN increases +1

with most changes

Current SCN cannot exceed

Current Maximum SCN –

otherwise ORA-600 [2252]

for any changes

SCN Increments

1 Each database change Transaction commits

Transactions within same second may have same SCN

2 Distributed transactions – database links Synchronizes local and remote databases to highest SCN

3 Software bugs ALTER DATABASE BEGIN BACKUP – doesn’t turn off

How many more issues exist?

“However, Oracle has determined that some software bugs could cause the database to exceed the current maximum SCN value.” “All the associated bugs have been fixed in the January 2012 CPU (and associated PSU).”

Oracle Bulletin, 17 January 2012

Design Flaw vs. Software Bug

Known software bugs are fixed in the January 2012 Critical Patch Update

Any new bugs still can cause errors when the current maximum SCN is exceeded

“But with steadfast consistency, Oracle has characterized the risk posed by these problems as minimal. “

InfoWorld, January 23, 2012

January 2012 Critical Patch Update

1 Known SCN escalation bugs fixed

ALTER DATABASE BEGIN BACKUP fixed

One or more other bugs fixed

2 Database Link SCN Sanity Check

Database links from remote databases where the remote SCN is

within <x> of the Current Maximum SCN will be rejected

Hidden parameter _external_scn_rejection_threshold_hours

added for 10g and 11.1 with a default of 24 hours

SCN Flaw State after Jan 2012 CPU

1 Fundamental flaw will always exist

January 2012 CPU fixes bugs, but not the fundamental flaw

It is still possible to stop database processing if SCN can be made to

exceed Current Maximum SCN

2 Database link risk still exists

Window of exceeding the Current Maximum SCN has been

minimized to a few hours

Worst-case scenario is database will be unavailable for several hours

Must have a window for SCNs due to time zone differences and clock

discrepancies

Overview

Organization with about

150 production Oracle

Databases

Integrigy assessed 15 key

SOX and PCI compliance

Oracle databases

Reviewed database links

for connectivity and

appropriateness

Conclusion

Database links are widely

used in most organizations

Database Link Case Study

2

1

3

4

6

7

5

9 12

8

10

11

13

14

15

Example SCN Current State

Current Maximum SCN = 12,691,246,776,320

Instance Version Current SCN

Database A 10.2.0.5 8,399,825,495,842

Database B 10.1.0.4 5,965,078,978,284

Database C 10.2.0.4 8,399,825,745,153

Database D 10.2.0.4 8,399,826,124,718

Database E 9.2.0.7 8,399,825,011,234

Database F 10.2.0.4 8,399,826,360,924

Risk: Single Database

1 Limited risk to a single database

Difficult to escalate the SCN beyond the Current Maximum SCN without

DBA privileges - must set init parameters and bounce database

Possible to crash a database with a directed attack (google: gokan atil scn)

2 Databases near Current Maximum SCN most

at risk

It is possible to increase the SCN rate per second with low overhead

transactions, but to exceed a rate of 16,384 per second is difficult

Must sustain for a long period to catch up to Current Maximum SCN

Risk: Interconnected Databases

1 Accidental risk is low

Requires a triggering event (such as ALTER DATABASE BACKUP bug)

for escalated SCN rate on a high transaction volume database

Will cascade through all interconnected databases

2 Malicious attack is feasible, but practical?

Only requires access to a database account with CREATE SESSION on at

least one database

January 2012 CPU reduce possible impact

No known attack methods that would require databases to be rebuilt

(export/import)

Vulnerabilities

Security Bugs


Background

1 2 3

Agenda

4

Q & A

Contact Information

Stephen Kost

Chief Technology Officer


web: www.integrigy.com

e-mail: [email protected]

blog: integrigy.com/oracle-security-blog

youtube: youtube.com/integrigy

integrigy oracle database security vulnerabilities explained

Documents